IBM Security QRadar SOAR

  • 1.  Custom AQL query to QRADAR fails saying Invalid Field Name | IBM SOAR

    Posted Wed June 30, 2021 01:34 PM
    Hi all 

    I am performing a custom AQL query to QRadar from SOAR to get additional payload onto the existing incident. I followed the "Example of searching QRadar events using offense id" workflow.
    Activities performed: 
    • qradar search function is used 
    • modified post processing script to reflect new fields
    • created new data table 
    AQL query: 
    SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% DAYS 

    param1  = QIDNAME(qid) as 'Event Name',"Logon IP" as 'Logon IP',"Logon Location" as 'Logon Location',"username" as 'username'

    preprocessing script:
    inputs.qradar_query_param2 = incident.properties.qradar_id
    if rule.properties.qradar_query_all_results:
        inputs.qradar_query_all_results = rule.properties.qradar_query_all_results

    postprocessing script:
    for event in results.events:
        qradar_event = incident.addRow("qradar_logon_event")
        qradar_event.LogonLocation = event.LogonLocation
        qradar_event.username = event.username
        qradar_event.Event_Name = event.EventName
        qradar_event.Logonip = event.logonip


    Error observed: 

    An error occurred while processing the action acknowledgement. Additional information: Unable to run the post-processing script for Function QRadar Search due to the following errors: Invalid field name: LogonLocation

    Any leads on where this needs to be corrected?
    I have created a data table with the fields as well, but no luck.

    ------------------------------
    Vijay Reddy
    ------------------------------


  • 2.  RE: Custom AQL query to QRADAR fails saying Invalid Field Name | IBM SOAR

    IBM Champion
    Posted Thu July 01, 2021 03:39 PM

    Vijay,

    I'm thinking you might need to change the fields you're trying to access in the event object to match the field names supplied in the pre-process script. It looks like the fields in the pre-process script have a space in them while the post-process script is removing that space.

    for event in results.get("events"):
        qradar_event = incident.addRow("qradar_logon_event")
    
        # can use the .get() method to access keys with a space in the name
        qradar_event.LogonLocation = event.get("Logon Location")
        # or bracket notation, but this will throw a KeyError if the value doesn't exist
        qradar_event.Event_Name = event['Event Name']
    
        # continue for all of the other fields needed


    If that doesn't work I'd recommend commenting out your whole post-process script and then adding this line to the beginning (uncommented so it runs)

    incident.addNote(str(results))


    And then you will see the full results object the function is returning and how you need to structure your post-process script. 

    I'd be happy to help some more if needed



    ------------------------------
    Liam Mahoney
    ------------------------------
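An added check, not from this thread or the QRadar integration, that pulls the output column aliases out of an AQL SELECT list like the one in the question and compares them with the keys a post-process script reads, then builds rows with .get() as suggested above. The sample events, the field map and the data-table column names are constructed assumptions.

```python
import re

# Constructed copy of the SELECT list (param1) from the question above.
PARAM1 = ("QIDNAME(qid) as 'Event Name',\"Logon IP\" as 'Logon IP',"
          "\"Logon Location\" as 'Logon Location',\"username\" as 'username'")

# Constructed sample of what results.get("events") could hold; the second
# event lacks "Logon Location" to exercise the missing-key case.
SAMPLE_EVENTS = [
    {"Event Name": "User Login Success", "Logon IP": "10.0.0.5",
     "Logon Location": "Office", "username": "alice"},
    {"Event Name": "User Login Failure", "Logon IP": "10.0.0.9",
     "username": "bob"},
]

# Assumed mapping: AQL output column alias -> data table column API name.
FIELD_MAP = {
    "Event Name": "Event_Name",
    "Logon IP": "Logonip",
    "Logon Location": "LogonLocation",
    "username": "username",
}

# An alias may be single-quoted, double-quoted or a bare identifier.
ALIAS_RE = re.compile(r"\bas\s+(?:'([^']*)'|\"([^\"]*)\"|(\w+))", re.IGNORECASE)


def select_aliases(select_list):
    """Return the output column names an aliased AQL SELECT list produces."""
    return [next(g for g in m.groups() if g is not None)
            for m in ALIAS_RE.finditer(select_list)]


def check_field_map(select_list, field_map):
    """Spot mismatches: aliases the script never reads, and keys the
    script reads that the query never emits (e.g. LogonLocation)."""
    aliases = set(select_aliases(select_list))
    return {"unmapped_aliases": sorted(aliases - set(field_map)),
            "unknown_keys": sorted(set(field_map) - aliases)}


def rows_for_datatable(events, field_map):
    """Build {datatable_column: value} dicts with .get(), so a column that
    is absent from one event becomes None instead of raising KeyError."""
    return [{col: event.get(alias) for alias, col in field_map.items()}
            for event in events]
```

Inside the SOAR post-process script the values these helpers produce would then be assigned to a row from incident.addRow("qradar_logon_event") exactly as in the snippet above.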



  • 3.  RE: Custom AQL query to QRADAR fails saying Invalid Field Name | IBM SOAR

    Posted Tue August 10, 2021 03:04 PM
    Hi Liam 

    Thank you for the direction. The second suggestion helped.
    incident.addNote(str(results))

    I also used incident.addNote(results.events) to see how the results are structured.

    ------------------------------
    Vijay Reddy
    ------------------------------